VYPR
Moderate severity · NVD Advisory · Published Sep 9, 2019 · Updated Aug 5, 2024

CVE-2019-16148

Description

Sakai through 12.6 is vulnerable to stored XSS via a chat user name, allowing arbitrary JavaScript execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

CVE-2019-16148 describes a stored cross-site scripting (XSS) vulnerability in the Sakai learning management system, affecting versions through 12.6. The root cause is that the chat tool fails to escape user names when rendering chat messages, so a user name containing markup is emitted into the page as-is and an attacker can inject arbitrary HTML or JavaScript [1][2].

Exploitation

An authenticated user can set a chat user name containing malicious JavaScript. When other users view the chat, the injected script executes in their browsers. No additional privileges are required beyond the ability to participate in a chat session [1].

Impact

Successful exploitation enables an attacker to execute arbitrary JavaScript in the context of other users' sessions. This can lead to session hijacking, data theft, or unauthorized actions performed on behalf of the victim [1].

Mitigation

The vulnerability is fixed in Sakai 12.7 and later. The patch, implemented in pull request #6971, wraps the user name in the JSTL fn:escapeXml function in the chat JSP template, so the characters that would open markup are rendered as entities instead [2]. Users are advised to upgrade to a patched version.
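To make the effect of the fn:escapeXml fix concrete, the following is an added Java example, not Sakai's code or the diff from pull request #6971: it reproduces the character mapping JSTL's fn:escapeXml applies and renders a constructed chat message once the vulnerable way and once the fixed way. The class, record and method names are hypothetical, and the assumption that the message body was already escaped is ours.

```java
/** Added illustration of the CVE-2019-16148 fix; not Sakai project code. */
public class ChatNameEscapingDemo {

    /** Minimal chat record; field names are hypothetical, not Sakai's model. */
    record ChatMessage(String userName, String body) {}

    /**
     * Same mapping JSTL's fn:escapeXml applies:
     * & < > ' " become &amp; &lt; &gt; &#039; &#034;
     */
    static String escapeXml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&' -> sb.append("&amp;");
                case '<' -> sb.append("&lt;");
                case '>' -> sb.append("&gt;");
                case '\'' -> sb.append("&#039;");
                case '"' -> sb.append("&#034;");
                default -> sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Vulnerable rendering: the user name is emitted like ${msg.userName} in the JSP. */
    static String renderUnescaped(ChatMessage msg) {
        return "<li><b>" + msg.userName() + "</b>: " + escapeXml(msg.body()) + "</li>";
    }

    /** Fixed rendering: equivalent to ${fn:escapeXml(msg.userName)}. */
    static String renderEscaped(ChatMessage msg) {
        return "<li><b>" + escapeXml(msg.userName()) + "</b>: " + escapeXml(msg.body()) + "</li>";
    }

    public static void main(String[] args) {
        // Constructed sample: a user name carrying markup, as the advisory describes.
        ChatMessage msg = new ChatMessage("Alice<script>alert(1)</script>", "hi");
        String vulnerable = renderUnescaped(msg);
        String fixed = renderEscaped(msg);
        System.out.println("unescaped: " + vulnerable);
        System.out.println("escaped:   " + fixed);
        // The fixed output carries no raw tag from the user name; the vulnerable one does.
        if (!vulnerable.contains("<script>") || fixed.contains("<script>")) {
            throw new IllegalStateException("escaping check failed");
        }
    }
}
```

The escaped output renders the name as literal text (`Alice&lt;script&gt;alert(1)&lt;/script&gt;`), which is exactly what the JSP produces once the patch is applied.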

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                              Affected versions   Patched versions
org.sakaiproject:chat-base (Maven)   <= 12.6

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0

No linked articles in our index yet.